Google has released a major security update for Chrome that addresses a staggering 79 vulnerabilities, including multiple critical flaws that could allow attackers to execute arbitrary code, corrupt memory, or escape browser sandbox protections.
The Stable channel update, version 148.0.7778.167/168 for Windows and Mac and 148.0.7778.167 for Linux, is being deployed gradually. Still, security experts warn that users should update immediately due to the severity of the issues fixed.
The update highlights Chrome’s ongoing battle against memory-safety vulnerabilities, which continue to dominate browser exploitation chains in real-world cyberattacks. Several of the patched flaws involve use-after-free errors, heap buffer overflows, and integer overflows, bug classes frequently leveraged by threat actors to achieve remote code execution (RCE).
Among the most severe issues patched in this release is CVE-2026-8509, a heap buffer overflow in WebML, reported by an external researcher and awarded $43,000. Heap buffer overflows occur when data exceeds allocated memory boundaries, potentially allowing attackers to overwrite adjacent memory and execute malicious payloads.
Another critical flaw, CVE-2026-8510, involves an integer overflow in Skia, Chrome’s graphics engine. Integer overflows can lead to improper memory allocation, creating opportunities for exploitation. This vulnerability earned a $25,000 bounty, underscoring its severity and exploitability.
Chrome Security Fixes
Google’s internal security teams also identified multiple critical use-after-free vulnerabilities across key components, including UI, FileSystem, Input, Blink, and Downloads. Use-after-free bugs occur when a program continues to use freed memory, often leading to memory corruption and exploitable conditions.
Additional critical issues include:
- CVE-2026-8516: Improper validation in DataTransfer
- CVE-2026-8517: Object lifecycle flaw in WebShare
- CVE-2026-8519: Integer overflow in ANGLE
- CVE-2026-8520: Race condition in Payments
Beyond critical flaws, the update addresses dozens of high-severity vulnerabilities affecting essential browser subsystems, including WebRTC, GPU, the V8 JavaScript engine, Media, and Accessibility.
Notable high-risk issues include:
- CVE-2026-8540: Type confusion in V8, a common exploitation vector used in browser attacks
- CVE-2026-8539: Script injection vulnerability in Sanitizer API
- CVE-2026-8524: Out-of-bounds write in WebAudio
- CVE-2026-8525: Heap buffer overflow in ANGLE
Type confusion vulnerabilities, particularly in V8, are frequently used in zero-day exploits because they allow attackers to manipulate object types in memory, bypassing security controls.
| CVE ID | Severity | Component | Vulnerability type | Reporter/attribution | Reward | Report date |
|---|---|---|---|---|---|---|
| CVE-2026-8509 | Critical | WebML | Heap buffer overflow | c6eed09fc8b174b0f3eebedcceb1e792 | 43,000 USD | 2026-03-17 |
| CVE-2026-8510 | Critical | Skia | Integer overflow | q@calif.io | 25,000 USD | 2026-04-14 |
| CVE-2026-8511 | Critical | UI | Use after free | N/A | | 2026-03-22 |
| CVE-2026-8512 | Critical | FileSystem | Use after free | N/A | | 2026-03-24 |
| CVE-2026-8513 | Critical | Input | Use after free | N/A | | 2026-03-25 |
| CVE-2026-8514 | Critical | Aura | Use after free | N/A | | 2026-03-25 |
| CVE-2026-8515 | Critical | HID | Use after free | N/A | | 2026-03-25 |
| CVE-2026-8516 | Critical | DataTransfer | Insufficient validation of untrusted input | N/A | | 2026-03-26 |
| CVE-2026-8517 | Critical | WebShare | Object lifecycle issue | N/A | | 2026-03-29 |
| CVE-2026-8518 | Critical | Blink | Use after free | N/A | | 2026-03-30 |
| CVE-2026-8519 | Critical | ANGLE | Integer overflow | N/A | | 2026-04-01 |
| CVE-2026-8520 | Critical | Payments | Race condition | N/A | | 2026-04-17 |
| CVE-2026-8521 | Critical | Tab Groups | Use after free | N/A | | 2026-04-18 |
| CVE-2026-8522 | Critical | Downloads | Use after free | N/A | | 2026-04-19 |
| CVE-2026-8523 | High | Mojo | Use after free | Paul Seekamp / nullenc0de | 25,000 USD | 2026-02-12 |
| CVE-2026-8558 | High | Fonts | Out of bounds write | Matej Smycka | 10,000 USD | 2026-04-16 |
| CVE-2026-8524 | High | WebAudio | Out of bounds write | Brendan Dolan-Gavitt, XBOW | 7,000 USD | 2026-04-06 |
| CVE-2026-8525 | High | ANGLE | Heap buffer overflow | Nathaniel Oh (@calysteon) | 2,000 USD | 2026-03-30 |
| CVE-2026-8526 | High | WebRTC | Out of bounds write | c6eed09fc8b174b0f3eebedcceb1e792 | TBD | 2026-02-22 |
| CVE-2026-8527 | High | Downloads | Insufficient validation of untrusted input | rachmat.abdul.ro | TBD | 2026-02-23 |
| CVE-2026-8528 | High | SiteIsolation | Insufficient validation of untrusted input | N/A | | 2026-02-26 |
| CVE-2026-8529 | High | Codecs | Heap buffer overflow | N/A | | 2026-03-06 |
| CVE-2026-8530 | High | Network | Use after free | N/A | | 2026-03-11 |
| CVE-2026-8531 | High | WebML | Heap buffer overflow | Syn4pse | TBD | 2026-03-13 |
| CVE-2026-8532 | High | XML | Integer overflow | N/A | | 2026-03-14 |
| CVE-2026-8533 | High | Accessibility | Use after free | N/A | | 2026-03-23 |
| CVE-2026-8534 | High | GPU | Integer overflow | N/A | | 2026-03-23 |
| CVE-2026-8535 | High | Media | Out of bounds read | N/A | | 2026-03-23 |
| CVE-2026-8536 | High | ReadingMode | Insufficient validation of untrusted input | N/A | | 2026-03-24 |
| CVE-2026-8537 | High | ViewTransitions | Insufficient policy enforcement | N/A | | 2026-03-24 |
| CVE-2026-8538 | High | GPU | Insufficient validation of untrusted input | N/A | | 2026-03-26 |
| CVE-2026-8539 | High | SanitizerAPI | Script injection | Jungwoo Lee (@physicube), Wongi Lee (@qwerty_po) | TBD | 2026-03-26 |
| CVE-2026-8540 | High | V8 | Type confusion | N/A | | 2026-03-26 |
| CVE-2026-8541 | High | UI | Out of bounds read | N/A | | 2026-03-26 |
| CVE-2026-8542 | High | Core | Use after free | N/A | | 2026-03-28 |
| CVE-2026-8543 | High | FileSystem | Out of bounds read | N/A | | 2026-03-28 |
| CVE-2026-8544 | High | Media | Use after free | N/A | | 2026-03-28 |
| CVE-2026-8545 | High | Compositing | Object corruption | N/A | | 2026-03-29 |
| CVE-2026-8546 | High | GPU | Out of bounds read | N/A | | 2026-03-29 |
| CVE-2026-8547 | High | Passwords | Insufficient policy enforcement | N/A | | 2026-03-30 |
| CVE-2026-8548 | High | Media | Out of bounds write | N/A | | 2026-03-30 |
| CVE-2026-8549 | High | Media | Use after free | N/A | | 2026-03-31 |
| CVE-2026-8550 | High | Google Lens | Use after free | N/A | | 2026-03-31 |
| CVE-2026-8551 | High | Downloads | Use after free | N/A | | 2026-04-01 |
| CVE-2026-8552 | High | GPU | Heap buffer overflow | N/A | | 2026-04-01 |
| CVE-2026-8553 | High | GPU | Use after free | N/A | | 2026-04-01 |
| CVE-2026-8554 | High | ANGLE | Type confusion | N/A | | 2026-04-03 |
| CVE-2026-8555 | High | GTK | Use after free | N/A | | 2026-04-06 |
| CVE-2026-8556 | High | ANGLE | Inappropriate implementation | N/A | | 2026-04-06 |
| CVE-2026-8557 | High | Accessibility | Use after free | N/A | | 2026-04-15 |
| CVE-2026-8559 | High | Internationalization | Integer overflow | N/A | | 2026-04-20 |
| CVE-2026-8560 | Medium | SwiftShader | Heap buffer overflow | Cassidy Kim (@cassidy6564) | TBD | 2024-03-05 |
| CVE-2026-8561 | Medium | Fullscreen | Incorrect security UI | Wolfgang Ettlinger, Alexander Hurbean (Certitude) | TBD | 2024-05-29 |
| CVE-2026-8562 | Medium | Navigation | Side-channel information leakage | N/A | | 2021-10-06 |
| CVE-2026-8563 | Medium | IFrame Sandbox | Insufficient policy enforcement | Luan Herrera (@lbherrera_) | TBD | 2022-10-04 |
| CVE-2026-8564 | Medium | Downloads | Incorrect security UI | Alesandro Ortiz | TBD | 2025-05-16 |
| CVE-2026-8565 | Medium | Downloads | Inappropriate implementation | Farras Givari | TBD | 2025-09-04 |
| CVE-2026-8566 | Medium | Payments | Insufficient policy enforcement | Jorian Woltjer | TBD | 2025-12-21 |
| CVE-2026-8567 | Medium | ANGLE | Integer overflow | cinzinga | TBD | 2026-02-16 |
| CVE-2026-8568 | Medium | AI | Insufficient policy enforcement | Tianyi Hu | TBD | 2026-03-01 |
| CVE-2026-8569 | Medium | Codecs | Out of bounds write | N/A | | 2026-03-06 |
| CVE-2026-8570 | Medium | V8 | Type confusion | N/A | | 2026-03-06 |
| CVE-2026-8571 | Medium | GPU | Insufficient policy enforcement | Mark Blaszczyk | TBD | 2026-03-10 |
| CVE-2026-8572 | Medium | Network | Insufficient policy enforcement | N/A | | 2026-03-23 |
| CVE-2026-8573 | Medium | Codecs | Integer overflow | N/A | | 2026-03-23 |
| CVE-2026-8574 | Medium | Core | Use after free | N/A | | 2026-03-24 |
| CVE-2026-8575 | Medium | UI | Use after free | N/A | | 2026-03-25 |
| CVE-2026-8576 | Medium | CORS | Inappropriate implementation | N/A | | 2026-03-25 |
| CVE-2026-8577 | Medium | Fonts | Integer overflow | N/A | | 2026-03-25 |
| CVE-2026-8578 | Medium | GPU | Out of bounds read | N/A | | 2026-03-26 |
| CVE-2026-8579 | Medium | Skia | Insufficient validation of untrusted input | N/A | | 2026-03-26 |
| CVE-2026-8580 | Medium | Mojo | Use after free | N/A | | 2026-03-26 |
| CVE-2026-8581 | Medium | GPU | Use after free | N/A | | 2026-03-28 |
| CVE-2026-8582 | Medium | Dawn | Object lifecycle issue | N/A | | 2026-03-30 |
| CVE-2026-8583 | Medium | WebXR | Insufficient policy enforcement | N/A | | 2026-03-31 |
| CVE-2026-8584 | Medium | Views | Inappropriate implementation | N/A | | 2026-04-02 |
| CVE-2026-8585 | Medium | Media | Inappropriate implementation | N/A | | 2026-04-02 |
| CVE-2026-8586 | Medium | Chromoting | Inappropriate implementation | N/A | | 2026-04-03 |
| CVE-2026-8587 | Medium | Extensions | Use after free | zh1x1an1221 (Ant Group Tianqiong Security Lab) | TBD | 2026-04-28 |
Meanwhile, multiple flaws in GPU and media processing components indicate continued risks tied to hardware acceleration and complex rendering pipelines, areas historically targeted by advanced threat actors.
Security researchers note that many of the patched vulnerabilities align with techniques observed in real-world exploit chains. Attackers often combine multiple bugs, such as a renderer exploit with a sandbox escape, to fully compromise a system.
For example, a typical attack chain could involve:
- Triggering a heap overflow via a malicious webpage
- Leveraging a V8 type confusion bug for code execution
- Escaping the sandbox using a UI or GPU vulnerability
Such multi-stage exploits are commonly used in targeted attacks, including spyware campaigns and advanced persistent threats (APTs).
Although Google has not confirmed active exploitation of these specific CVEs, the company has restricted detailed bug disclosures until a majority of users have updated, suggesting a high risk of weaponization.
Mitigation
Google continues to rely heavily on automated security tools and fuzzing frameworks to detect vulnerabilities before they reach users. Technologies such as AddressSanitizer, MemorySanitizer, and libFuzzer play a crucial role in identifying memory corruption bugs during development.
Additionally, Control Flow Integrity (CFI) and sandboxing mechanisms provide layered defenses that make exploitation more difficult, even when vulnerabilities exist.
The Chrome Vulnerability Reward Program (VRP) also incentivizes external researchers to report bugs responsibly, with payouts in this release exceeding $10,000 for critical findings.
This Chrome update reinforces a broader industry trend: memory safety remains one of the biggest challenges in modern software security. Despite ongoing efforts to adopt safer programming languages and architectures, legacy components and performance-critical modules continue to introduce risk.
Browsers, in particular, are high-value targets because they process untrusted content from the internet. A single unpatched vulnerability can allow attackers to compromise endpoints, steal sensitive data, or deploy malware. Organizations should treat browser updates as critical security patches, not routine software upgrades.
To mitigate risk, users and IT administrators should:
- Update Chrome immediately to version 148.0.7778.167 or later
- Enable automatic updates to ensure timely patching
- Monitor endpoints for unusual browser behavior
- Use endpoint detection and response (EDR) tools to detect exploitation attempts
- Apply defense-in-depth strategies, including sandboxing and network isolation
Enterprises should also verify that all managed devices receive the update, especially in environments where browser-based attacks could lead to lateral movement.
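One way to run that fleet check, as an added example that is not part of the original article: the script below reads a constructed inventory export and classifies each host against the fixed build 148.0.7778.167. The CSV layout, hostnames and the older version strings are assumptions made up for illustration.

```python
import csv
import io

# Fixed Stable build named in the article. Windows and Mac ship as .167/.168,
# so .167 is the lowest patched build on every platform.
MIN_FIXED = (148, 0, 7778, 167)

# Constructed inventory export (hostnames and versions are made up).
SAMPLE_INVENTORY = """host,os,chrome_version
ws-001,windows,148.0.7778.168
ws-002,windows,148.0.7778.99
mac-014,mac,148.0.7778.167
lin-203,linux,147.0.7700.50
kiosk-7,linux,Google Chrome 148.0.7778.167
srv-old,windows,
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if no dotted 4-part version is found."""
    for token in text.split():
        parts = token.split(".")
        if len(parts) == 4 and all(p.isdecimal() for p in parts):
            return tuple(int(p) for p in parts)
    return None

def audit(inventory_csv, minimum=MIN_FIXED):
    """Classify each host as 'patched', 'vulnerable' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["chrome_version"] or "")
        if version is None:
            status = "unknown"      # missing or unparseable: needs follow-up
        elif version >= minimum:    # tuple compare is numeric, field by field
            status = "patched"
        else:
            status = "vulnerable"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
    # Comparing raw strings gets ws-002 wrong: "99" sorts after "167".
    print("148.0.7778.99" >= "148.0.7778.167")
```

Hosts reported as `unknown` have no parseable version in the inventory and should be followed up rather than assumed patched.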
FAQ
What is the most critical vulnerability fixed in Chrome 148?
CVE-2026-8509, a heap buffer overflow in WebML, is the most critical due to its potential for remote code execution.
How many vulnerabilities were patched in this update?
Google fixed 79 security vulnerabilities in Chrome 148.
Are these Chrome vulnerabilities actively exploited?
Google has not confirmed active exploitation, but restricted disclosures indicate a high risk of weaponization.
Why are use-after-free bugs dangerous in Chrome?
They allow attackers to access freed memory, leading to memory corruption and possible code execution.
Site: thecybrdef.com